NAT on the ASA

NAT configuration is always something that draws a lot of attention. NAT can perform lots of different functions in many different configurations. That being said, it can be complex to understand at first. However, I think it's probably more important to understand NAT than any other function on the ASAs. If you don't fully understand the concept you can get yourself in a lot of trouble real fast. So let's get right into it and look at a couple of scenarios and examples. In this post I'm going to talk about the most common NAT configurations. In upcoming posts we'll talk about NAT DMZ configurations and policy NAT.

The standard 5505 overload

I call this the 'standard' because it's pretty typical to see on a 5505 box. The client usually has 1 external IP and has a couple of services with a single subnet behind it. Nothing too special here.

So, what does this mean? Let's break it down.

The Global Command

global – Indicates that we are defining a global address pool. This can either be a pool of addresses or a single IP that's being overloaded through the use of PAT.
(outside) – The item in the parentheses is the interface we are defining the pool on. In this case, it's the outside interface.
1 – Specifies the ID of the pool; this will be matched up against the internal NAT pool.
interface – The interface keyword specifies that PAT is being used with the IP defined on the interface. PAT (also referred to as overload) uses a single external IP address for all of the clients in the NAT pool. To make the distinction clear, NAT usually means that you are using a pool of IPs and PAT usually means you are using one external IP.

The Nat Command

nat – The nat command is what you use to associate a network with a pool of global addresses.
(inside) – The item in the parentheses is the interface on which the NAT network exists. In this case it's going to be on the inside interface.
1 – This number is what is used to pair the global and nat statements together. In other words, global pool 1 will be used with NAT network 1.
0.0.0.0 0.0.0.0 – Translates to mean all networks. If there is only a single internal subnet that requires translation this could just as easily read something like '192.168.127.0 255.255.255.0'.

Summary

This configuration PATs all of the internal traffic heading out to the public network to the single IP address defined on the external interface.

Defining an actual NAT pool

Let's take the same scenario as above but define a real pool of IPs for inside clients to NAT to.

This configuration is exactly the same as above save the fact that we defined a range of IPs for NAT to use. In this scenario, users that were heading out to the public network would use one of the actual IPs defined within the range rather than all using the same IP in an overloaded configuration.

Putting them together

We've reviewed two options for basic NAT at this point: one using NAT overload and one defining a NAT pool. These are the classic NAT/PAT examples and they both work equally well in different scenarios. However, option 2 has a gotcha attached to it. Let's say that you have 30 users and 20 IPs defined in your NAT pool. What happens when the 21st user attempts to make a NAT request? Nothing. Since you are out of IP addresses there isn't one for that user to use. The best practice is to define a single NAT overload in addition to the range of IPs. That way, if the NAT pool fills up, subsequent users can start using PAT. An example is shown below.

The ASA will evaluate any range definitions prior to moving to PAT on the single IP. So here we took the last IP in the range and defined it for PAT in case our NAT range becomes oversubscribed. Seeing as the ASA can PAT approximately 64,000 sessions through a single external IP, one PAT statement is usually enough. If you wish, two PAT ranges can be defined and will be used in order.
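To make the oversubscription case concrete, here is an added Python model of the allocation order described above (not ASA code and not from the original post): a 20-address range is consumed first, and only once it is empty does the ASA fall back to PAT on a single address. The addresses, the host names and the starting PAT port are assumed, constructed values.

```python
"""Constructed simulation of pre-8.3 ASA dynamic NAT with a PAT fallback.
Range entries are handed out first; overflow hosts share the PAT address
with distinct source ports; with no PAT address the overflow gets nothing."""
from ipaddress import IPv4Address


def ip_range(first, last):
    """Expand an inclusive 'first-last' address range into a list."""
    start, stop = int(IPv4Address(first)), int(IPv4Address(last))
    return [IPv4Address(n) for n in range(start, stop + 1)]


class GlobalPool:
    """One 'global (outside) <id>' set: a NAT range plus an optional PAT address."""

    def __init__(self, nat_range, pat_address=None):
        self.free = list(nat_range)              # unused dynamic NAT addresses
        self.pat_address = IPv4Address(pat_address) if pat_address else None
        self.next_port = 1024                    # assumed first PAT source port
        self.xlate = {}                          # inside host -> (outside addr, port)

    def translate(self, inside_host):
        """Return the (outside address, port) an inside host is mapped to.
        port is None for a one-to-one NAT entry; None overall means no
        translation was possible (range full and no PAT address defined)."""
        if inside_host in self.xlate:
            return self.xlate[inside_host]
        if self.free:                            # range entries are evaluated first
            entry = (self.free.pop(0), None)
        elif self.pat_address is not None:       # overflow hosts share the PAT IP
            entry = (self.pat_address, self.next_port)
            self.next_port += 1
        else:
            return None                          # oversubscribed, nothing to hand out
        self.xlate[inside_host] = entry
        return entry


def simulate(num_hosts, pat_address=None):
    """Map num_hosts inside hosts through a 20-address range (the scenario in
    the text), with or without a PAT fallback; returns one result per host."""
    pool = GlobalPool(ip_range("203.0.113.10", "203.0.113.29"), pat_address)
    return [pool.translate(f"192.168.127.{n}") for n in range(1, num_hosts + 1)]


if __name__ == "__main__":
    for n, result in enumerate(simulate(30, "203.0.113.30"), start=1):
        print(f"host {n:2d} ->", "no translation" if result is None else result)
```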

Summary

In this post we took a look at what I would call 'basic NAT/PAT'. The idea of this post was to get you familiar with the building blocks of NAT and see a couple of common implementations. In the next couple of posts we'll talk about policy NAT and NAT configuration with a DMZ interface.